Ranger usersync 401 unauthorized

Explorer

Having trouble with Ranger usersync from Active Directory. Just trying LDAP, not LDAPS, at the moment. I can see in the usersync.log that it connects to my AD server & finds the users and groups I have set in my filters. When it goes to try to push these into Ranger, I'm getting

com.sun.jersey.api.client.UniformInterfaceException: GET http://fit-d-selgsv-21.sentry.com:6080/service/xusers/groups/?pageSize=1000&startIndex=0 returned a response status of 401 Unauthorized

It looks like the usersync can't push to Ranger.

1 ACCEPTED SOLUTION

Explorer

We ended up just dropping the cluster, deploying Ranger & Ranger usersync, then enabling Kerberos. Works perfectly if you deploy Ranger first.


13 REPLIES 13

Is this a Kerberos env? If so, make sure all the necessary keytabs are there with the right permissions.

Explorer

Yes, Kerberos is enabled. I see a rangerusersync.service.keytab, rangeradmin.service.keytab, and rangerlookup.service.keytab in /etc/security/keytabs, all owned by ranger.

Do you see any errors in ranger usersync log or ranger admin log?

Explorer

Yes. Here is the full error I'm seeing:

com.sun.jersey.api.client.UniformInterfaceException: GET http://fit-d-selgsv-21.sentry.com:6080/service/xusers/groups/?pageSize=1000&startIndex=0 returned a response status of 401 Unauthorized
at com.sun.jersey.api.client.WebResource.handle(WebResource.java:686)
at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)
at com.sun.jersey.api.client.WebResource$Builder.get(WebResource.java:507)
at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.buildGroupList(PolicyMgrUserGroupBuilder.java:429)
at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.access$000(PolicyMgrUserGroupBuilder.java:72)
at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder$1.run(PolicyMgrUserGroupBuilder.java:180)
at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder$1.run(PolicyMgrUserGroupBuilder.java:176)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:360)
at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.buildUserGroupInfo(PolicyMgrUserGroupBuilder.java:176)
at org.apache.ranger.unixusersync.process.PolicyMgrUserGroupBuilder.init(PolicyMgrUserGroupBuilder.java:163)
at org.apache.ranger.usergroupsync.UserGroupSync.run(UserGroupSync.java:51)
at java.lang.Thread.run(Thread.java:745)

When I look in the ranger database, I see the following users: Admin, rangerusersync, keyadmin, rangertagsync. So the rangerusersync user exists.

Do you see any errors in the ranger admin log? Is there a core-site.xml under /etc/ranger/admin/conf?

What is the HDP version?

Explorer

Yes, there is a core-site.xml under /etc/ranger/admin/conf. There are errors in my xa_portal.log. I will attach a .zip with the core-site.xml and xa_portal.log. This is HDF, not HDP, but the Ranger distro is the same between the builds. HDF 3.0.1 cworkhdfissue.zip

I don't see any related errors. You can enable DEBUG and Kerberos debug to get more info. Also, the zip does not contain core-site.xml.

Explorer

I see how to enable DEBUG for Ranger admin, but not certain where you're talking about enabling for Kerberos.

https://community.hortonworks.com/content/supportkb/49445/how-to-enable-debug-logging-for-ranger-adm...

cworkhdfcore-site.xml

You need to make sure rangerusersync is sending a Kerberos request.

To enable Kerberos debug, you can add the arguments below to the Ranger start via JAVA_OPTS in ranger-admin-services.sh

-Dsun.security.krb5.debug=true -Dsun.security.jgss.debug=true -Djava.security.debug="logincontext,policy,scl,gssloginconfig"

Explorer

cworkhdfnew-folderusersync-issue2.zip I believe I enabled it correctly & restarted. When I check the log files I don't see any extra Kerberos information.

Kerberos debug messages will be in catalina.out

Not sure if ranger admin is properly spnego enabled. Please enable DEBUG for ranger admin logs.

One thing you can try is to manually kinit using the rangerusersync keytab and perform the same request via curl. http://fit-d-selgsv-21.sentry.com:6080/service/xusers/groups/?pageSize=1000&startIndex=0
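
The manual check suggested above, written out as a script. This is an added example, not something posted in the thread; it assumes MIT Kerberos client tools, a curl build with SPNEGO support, and that the first principal in the keytab is the usersync one. The function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example. KEYTAB and URL come from the thread; the function names,
# the MIT Kerberos tools and a SPNEGO-capable curl are assumptions.
KEYTAB="${KEYTAB:-/etc/security/keytabs/rangerusersync.service.keytab}"
URL="${URL:-http://fit-d-selgsv-21.sentry.com:6080/service/xusers/groups/?pageSize=1000&startIndex=0}"

# Read `klist -kt` output on stdin and print the first principal it lists.
first_principal() {
  awk '$NF ~ /@/ { print $NF; exit }'
}

# Turn the final HTTP status plus any WWW-Authenticate header into a verdict.
classify() {
  case "$1" in
    200) echo "ok: ticket accepted" ;;
    401)
      case "$2" in
        *[Nn]egotiate*) echo "spnego-rejected: Negotiate offered, request still rejected" ;;
        *) echo "no-spnego: Negotiate not offered by Ranger admin" ;;
      esac ;;
    *) echo "other: HTTP $1" ;;
  esac
}

# kinit from the keytab into a throwaway cache, then replay the usersync GET.
run_check() {
  local cache principal headers status www_auth
  cache="$(mktemp)"
  export KRB5CCNAME="FILE:$cache"
  principal="$(klist -kt "$KEYTAB" | first_principal)"
  if ! kinit -kt "$KEYTAB" "$principal"; then
    rm -f "$cache"
    echo "kinit-failed: cannot get a TGT for ${principal:-<none>}"
    return 2
  fi
  # -u : with --negotiate makes curl authenticate from the ticket cache.
  headers="$(curl -s -o /dev/null -D - --negotiate -u : "$URL" | tr -d '\r')"
  kdestroy -q
  rm -f "$cache"
  # curl logs every response of the handshake; the last status line wins.
  status="$(printf '%s\n' "$headers" | awk '/^HTTP\// { code = $2 } END { print code }')"
  www_auth="$(printf '%s\n' "$headers" | grep -i '^WWW-Authenticate:' || true)"
  classify "$status" "$www_auth"
}

# Only touch the KDC and Ranger when explicitly asked to.
if [ "${1:-}" = "--run" ]; then
  run_check
fi
```

Run it with `--run` on the usersync host as a user that can read the keytab. A `no-spnego` verdict points at the Ranger admin side, `spnego-rejected` at the ticket or principal.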

Explorer

Is there a way to change the usersync account so that it uses just username/password instead of Kerberos?

Explorer

We ended up just dropping the cluster, deploying Ranger & Ranger usersync, then enabling Kerberos. Works perfectly if you deploy Ranger first.
